January 2013 Cyber Incident

The Department of Energy (DOE) has confirmed a recent cyber incident that occurred in mid-January 2013 which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).

1. How did the possible disclosure of personally identifiable information happen?

Department of Energy networks and employee and contractor information hosted on these networks are protected in accordance with federal laws and Department of Energy policies. We do know that this incident was a sophisticated attack that appears to have originated from overseas and is therefore being investigated as a national security issue, although no classified networks or information were involved. We are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack.

The Department’s Cybersecurity Team identified and stopped this malicious attack while it was in progress, preventing further damage. The Cybersecurity Team’s quick response enabled robust analysis that will help the Department understand how this attack happened and reduce the likelihood of these events occurring again. At this time, it appears no encrypted documents or information were obtained by the perpetrators.

2. Who may be affected?

As part of the investigation, the Department is determining which employees’ and contractors’ Personally Identifiable Information (PII) was affected. The files containing PII made up less than 1 percent of the total number of files known to be compromised. The Department has identified approximately 1,500 individuals whose names and Social Security numbers were potentially affected by this criminal attack.

The Department is notifying these individuals and offering assistance on steps they can take to protect themselves against potential fraud or identity theft. These employees and contractors will be offered one year of free credit monitoring services.

3. How can I tell if my information was compromised?

DOE employees and contractors who do not receive a personal notice by February 28, 2013 should assume it is highly unlikely that their PII was potentially affected. If DOE determines your PII was affected, you will be notified, regardless of the date of discovery.

Based on the findings of the Department’s investigation into this incident, we do not believe PII theft was the primary purpose of the attack. However, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions. More information on preventing, detecting and recovering from identity theft is available here: http://www.consumer.gov/section/scams-and-identity-theft.

4. I haven’t noticed any suspicious activity in my financial statements, but what can I do to protect myself from being victimized by credit card fraud or identity theft?

The Department recommends that individuals closely monitor their financial statements and visit the Federal Trade Commission’s Consumer Information web page at http://www.consumer.ftc.gov/topics/privacy-identity for further information on protecting your privacy and identity.

5. Where should I report suspicious or unusual activity?

The Federal Trade Commission (FTC) recommends the following steps if you detect suspicious activity:

Contact the fraud department of one of the three major credit bureaus:

You may also notify the Department of Energy Privacy Office within the Office of the Chief Information Officer. This should not be done instead of contacting your local police and the Federal Trade Commission.

7. How is the Department of Energy responding to this attack?

The Department is implementing a full network remediation plan. The Department continues to work with our interagency partners to take aggressive steps to reduce the likelihood of these events occurring again, including:

Working with public and private sector partners to further harden our networks against attack;

Conducting deep network scans to ensure the malware has been removed and cannot be restarted;